On 5 June 2015 a directive on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (the “4th Directive”) was published in the Official Journal of the European Union (“EU”). The Directive will come into force on 26 June 2015, but will not be effective in Member States until transposed into local legislation. The deadline for transposing the requirements is 26 June 2017. The 4th Directive will repeal and replace the 3rd Directive, which was published in 2005. Set out below are a number of features of this new Directive which will be relevant to Irish investment funds.
Risk Assessments
There is a general move in the 4th Directive toward promoting a more holistic and thoughtful approach to the prevention of money laundering and terrorist financing. Irish investment funds, as ‘obliged entities’ under the 4th Directive, will be required to conduct regular risk assessments taking into account the risks posed by customers, countries or geographic areas, products, services, transactions or delivery channels. It will be necessary to ensure that there are controls and procedures in place to mitigate these risks. Risk assessments will also be conducted at regular intervals at both national and European Union level.
Risk Based Approach
The 3rd Directive introduced the concept of the risk based approach to customer due diligence (“CDD”). The 4th Directive takes this approach a step further by removing automatic exemptions to performing CDD which were in place for lower risk entity types such as those listed on a regulated EU market, and for investors located in non-EU jurisdictions that impose anti-money laundering (“AML”) requirements considered to be equivalent to those laid down in the 3rd Directive.
Under the 4th Directive funds will be required to risk assess each client individually using specific risk variables outlined in the Directive. Non-exhaustive lists of factors and types of evidence of both potentially higher and lower risk are also provided
The important point is that in every case there should be a documented risk assessment in place to justify and explain the risk assigned to a client. For the most part these changes will not significantly affect how funds perform customer due diligence as, provided they comply with current legislation and guidance which require a proper application of the risk based approach, they will already be substantially in compliance with the new requirements.
Beneficial Ownership
One of the most widely discussed features of the 4th Directive is the introduction of beneficial ownership registers. Each Member State will be required to create a central register where the beneficial ownership of corporate and other legal entities will be recorded. Entities will be required to hold information on their beneficial ownership, and Member States must ensure that this information is recorded in the central register. Although the registers will be available to funds for the purpose of CDD they will not be allowed to rely solely on them to fulfil their CDD obligations.
“Indirect ownership” has now been defined as “a shareholding of 25% plus one share or an ownership interest of more than 25% in the customer held by a corporate entity, which is under the control of a natural person(s), or by multiple corporate entities, which are under the control of the same natural person(s)”. Where the beneficial owner of an entity cannot be identified the 4th Directive allows for the senior managing officials to be determined to be the beneficial owners, provided the reasons for this approach have been documented.
Reliance on Third Parties
Irish investment funds should be aware that, while reliance on third parties to perform CDD continues to be permitted under the 4th Directive, there is an explicit prohibition on relying upon third parties established in high risk third countries (as identified by the European Commission). The only exception to this prohibition is where the third party is a branch or majority-owned subsidiary of an EU-based obliged entity, and is subject to group wide policies and procedures. Under the current regime funds can only place reliance on ‘relevant third parties’ and on a risk-sensitive basis, meaning that the 4th Directive does not imply a significant change to current practice.
Politically Exposed Persons (“PEPs”)
Domestic PEPs will be subject to enhanced due diligence as a result of the changes in the 4th Directive, along with senior figures in international organisations. Funds will now be required to identify cases where a beneficial owner is a PEP and apply enhanced CDD accordingly, whereas the 3rd Directive only required this in the case that the PEP was the direct customer. This obligation already applies to funds under current Irish AML legislation. The 4th Directive also imposes a requirement to continue to assess the risk posed by PEP customers for a minimum period of 12 months after ceasing to hold the public function that qualified them for PEP status. Under the 3rd Directive PEP status automatically ceased on expiry of this 12 month period. Investment funds must now consider if an investor should be treated as a PEP beyond the minimum 12 month period.
Senior management approval of PEP relationships (and any other customer requiring enhanced due diligence) is not a new requirement, but the 4th Directive provides a welcome clarification on who can provide this approval. It does not always have to be a member of the board of directors, but can be “someone with sufficient knowledge of the institution’s money laundering and terrorist financing risk exposure and of sufficient seniority to take decisions affecting its risk exposure”.
Data Protection
The 4th Directive introduces a general requirement to delete personal data after the expiry of the minimum retention period of 5 years. In certain circumstances personal data can be retained for a longer period, but only for a maximum of a further 5 years.
Sanctions
The 4th Directive requires that Member States ensure that a range of administrative sanctions and measures are available for breaches of requirements relating to CDD, suspicious transaction reporting, record-keeping and internal controls, which are ‘serious, systematic, or a combination thereof’. These include public statements identifying sanctioned entities or individuals and the nature of the breaches, ‘cease and desist’ orders, withdrawal or suspension of authorisation, and temporary bans on managers held responsible for breaches. Additionally, maximum pecuniary administrative sanctions for financial and credit institutions must be at least €5,000,000 or 10% of their total annual turnover.
Suspicious Transaction Reporting
The definition of criminal activity will be updated to include serious ‘tax crimes’ as defined in the national laws of Member States. The implication is that, where obliged entities know, suspect or have reasonable grounds to suspect that investors are involved in tax crimes, obligations around reporting of suspicious transactions will apply.
The 4th Directive expands the scope of AML requirements applicable to funds, as well as clarifying a number of issues which had been included within the scope of its predecessor. Funds will have to reflect these changes in their own policies and procedures and consider the practical implications on the management of their AML obligations.
The European Commission and the European Supervisory Authorities (“ESAs”) will provide guidance and technical standards to assist in the implementation of the 4th Directive. This is a minimum harmonisation Directive which means that Member States are free to implement or maintain requirements that are stricter than those contained in the Directive itself.
Cliff Burke
+353 1 6671985
clifford.burke@kbassociates.ie
Áine Suttle
+353 1 6671984
aine.suttle@kbassociates.ie